HP CIFS Server Administrator's Guide (5900-1282, April 2011)
◦ Kerberos v5 Client D.1.6.2 or later on HP-UX 11i v2
◦ Kerberos v5 Client E.1.6.2 or later on HP-UX 11i v3
• Service Pack 1 is recommended for Windows 2003, and required for inter-operation with
Kerberos v5 Client D.1.6.2 or later on HP-UX 11i v2 or Kerberos v5 Client E.1.6.2 or later
on HP-UX 11i v3.
• HP-UX LDAP-UX Integration product
• Windows 2000, Windows 2003, or Windows 2008 Server domain.
• Windows 2000 or Windows XP Client
Configuring krb5.keytab
Here are the required components to configure HP CIFS Server with HP-UX Internet Services
co-existence:
• Kerberos v5 Client D.1.6.2 or later on HP-UX 11i v2 or Kerberos v5 Client E.1.6.2 or later
on HP-UX 11i v3.
• /etc/krb5.conf file
• /etc/opt/samba/smb.conf file
• /etc/krb5.keytab file
• net ads keytab create command
The first task is to configure HP CIFS Server for Kerberos authentication and join it to a Windows
domain.
Use the following steps to generate a valid keytab file and to configure an HP CIFS Server to access
the keytab file:
1. Add the default_keytab_name parameter with the FILE attribute in the /etc/krb5.conf
file. The Kerberos v5 Client D.1.6.2 or later on HP-UX 11i v2 or Kerberos v5 Client E.1.6.2
or later on HP-UX 11i v3 is required for the FILE attribute.
An example of /etc/krb5.conf for HP CIFS Server keytab creation is as follows:
    # Kerberos configuration
    [libdefaults]
        default_realm = MYREALM.HP.COM
        default_tkt_enctypes = DES-CBC-MD5
        default_tgs_enctypes = DES-CBC-MD5
        default_keytab_name = "FILE:/etc/krb5.keytab"
    [realms]
        MYREALM.HP.COM = {
            kdc = HPWIN2K4.MYREALM.HP.COM:88
            admin_server = HPWIN2K4.MYREALM.HP.COM
        }
    [domain_realm]
        .hp.com = MYREALM.HP.COM
    [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
2. Run the net ads keytab create -U administrator command to generate an
/etc/krb5.keytab file.
3. To configure the HP CIFS Server to read /etc/krb5.keytab, set the use kerberos
keytab parameter in /etc/opt/samba/smb.conf to yes.
An example of /etc/opt/samba/smb.conf is as follows:
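A check of the result of steps 1 to 3, as an added example that is not part of the HP guide and is not the smb.conf example referred to above. It assumes the file formats shown on this page; the function names are hypothetical, and the keytab permission test and the single-DES note (DES enctypes are deprecated by RFC 6649) are additions of this example.

```shell
#!/bin/sh
# Added example, not from the HP guide: audit the keytab setup of steps 1-3.
# Function names are hypothetical; pass the two config paths as arguments.

conf_value() {  # conf_value FILE KEY: first "KEY = value", quotes stripped
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' | head -n 1
}

keytab_path() {  # step 1: print the path if default_keytab_name is FILE:/...
    v=$(conf_value "$1" default_keytab_name)
    case $v in FILE:/*) printf '%s\n' "${v#FILE:}" ;; *) return 1 ;; esac
}

keytab_private() {  # step 2: keytab exists with no group/other permission bits
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

smb_uses_keytab() {  # step 3: "use kerberos keytab = yes" in smb.conf
    [ "$(conf_value "$1" 'use kerberos keytab' | tr '[:upper:]' '[:lower:]')" = yes ]
}

has_des_enctypes() {  # single-DES enctypes (deprecated by RFC 6649) configured
    grep -Ei '^[[:space:]]*default_t(kt|gs)_enctypes[[:space:]]*=.*des-cbc-(crc|md4|md5)' "$1" >/dev/null
}

audit() {  # audit KRB5_CONF SMB_CONF: print findings, return their count
    n=0
    if kt=$(keytab_path "$1"); then
        keytab_private "$kt" || { echo "step 2: $kt missing or group/world accessible"; n=$((n+1)); }
    else
        echo "step 1: default_keytab_name unset or not FILE:"; n=$((n+1))
    fi
    smb_uses_keytab "$2" || { echo "step 3: use kerberos keytab is not yes"; n=$((n+1)); }
    if has_des_enctypes "$1"; then echo "note: single-DES enctypes configured"; n=$((n+1)); fi
    return "$n"
}

demo() {  # constructed sample files modelled on the example on this page
    d=${TMPDIR:-/tmp}/keytab-audit.$$; mkdir "$d" || return 1
    : > "$d/kt"; chmod 644 "$d/kt"   # deliberately world-readable keytab
    printf '[libdefaults]\ndefault_tkt_enctypes = DES-CBC-MD5\ndefault_keytab_name = "FILE:%s"\n' "$d/kt" > "$d/krb5.conf"
    printf '[global]\nuse kerberos keytab = yes\n' > "$d/smb.conf"
    rc=0; audit "$d/krb5.conf" "$d/smb.conf" || rc=$?
    rm -rf "$d"; return "$rc"
}

if [ $# -eq 2 ]; then audit "$1" "$2"; else demo || echo "findings: $?"; fi
```

Run with no arguments it audits the constructed sample and reports two findings; on a configured host, pass /etc/krb5.conf and /etc/opt/samba/smb.conf as the two arguments.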